When discussing Information Security, access control refers to the restriction of particular resources or locations. Accessing may relate to opening, editing, viewing or using a resource.
Access control guarantees you will know who is granted permissions to view and change documents, as well as having physical abilities to enter the organisations premises and buildings.
Your information security management system (ISMS) revolves around who in your organisation can get access to the right information at the right time. This is why access control is so important.
There needs to be procedures in place that will prevent just anybody accessing and using their resources in order to minimize risk or threats entering the organisation.
There are some major implications if you accidentally open access of personal information of your employees to unauthorised personnel. For example, releasing salary or wage information to the public. This is major risk to your business.
Beside the benefits of knowing who in your organisation has permission to access certain documents, having strong access control measures will mean you are more likely to get certified to ISO 27001, and with this, gain an increased trust by customers as they will know their information is being protected.
There are three main types of access control you can use in order to control how people view your system. The three ways are;
This refers to a control system whereby the business owner has control over who has access to what, whether this be digitally or physically. It is a user-friendly option for access control because the administrator will have the power to manage roles centrally. If you choose to use this type of access control, each entry point will have an access control list (ACL) listing groups or individuals who have access to enter.
This type of access control is most common in organisations that require an increased emphasis on the confidentiality of their data. It is the strictest option, and is often used by governmental or military entities. If using this type of access control, all end users will be typically classified and provided with label allowing them access. This could be through a swipe card, or keypad.
This type of access control is sometimes known as non-discretionary, because it grants entry to users based on their role within the organisation. Because of this, you can easily and effortlessly assign access to specific people according to their job title. An advantage of using this type of access control is around promotions. If someone in your organisation gets a promotion, and someone new is hired to fill their old role, you can use the changing position to assign keycard access to areas where appropriate.
The type of access control your organisation chooses to use will be dependent on the industry you are operating in, and the size of your organisation. If your organisation has small or basic applications, you may find it beneficial to use DAC. On the other hand, if your organisation has highly confidential or sensitive information within your business platform, you may be better off using a MAC or RBAC.